Package: jupyterlab
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterlab.

CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are:
| 1. `@jupyterlab/mathjax-extension:plugin` - users will lose the
|    ability to preview mathematical equations.
| 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose
|    the ability to open Markdown previews.
| 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with the
|    optional `jupyterlab-mathjax2` package) - an older version of the
|    mathjax plugin for JupyterLab 4.x.
| To disable these extensions run:
| ```
| jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
| ```
| in bash.

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
    https://www.cve.org/CVERecord?id=CVE-2024-43805

Please adjust the affected versions in the BTS as needed.
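The version check and stop-gap from the advisory, as an added helper script (not from this report, the JupyterLab project or Debian): it compares an installed JupyterLab version against the fixed releases named above (3.6.8 for the 3.x series, 4.2.5 for the 4.x series) and, only when the version is older, prints the three `jupyter labextension disable` commands the advisory gives. Function names are mine; versions outside the 3.x/4.x series are handled conservatively (older treated as unfixed, newer as fixed).

```shell
#!/bin/sh
# Added example; not part of the Debian report or the JupyterLab advisory.
# Fixed releases for CVE-2024-43805 are taken from the advisory text:
# 3.6.8 (3.x series) and 4.2.5 (4.x series).

# jl_is_fixed VERSION -> exit status 0 if VERSION contains the fix, 1 if not.
# Accepts "MAJOR", "MAJOR.MINOR" or "MAJOR.MINOR.PATCH[suffix]".
jl_is_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.};  [ "$rest" = "$ver" ] && rest=0      # no minor part
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0  # no patch part
    patch=${patch%%[!0-9]*}; [ -z "$patch" ] && patch=0  # drop ".post1" etc.
    case $major in
        3) fixed_minor=6; fixed_patch=8 ;;
        4) fixed_minor=2; fixed_patch=5 ;;
        *) # assumption: a newer major series carries the fix, anything
           # older or unparsable (empty, non-numeric) is treated as unfixed
           if [ "$major" -gt 4 ] 2>/dev/null; then return 0; else return 1; fi ;;
    esac
    [ "$minor" -gt "$fixed_minor" ] && return 0
    [ "$minor" -lt "$fixed_minor" ] && return 1
    [ "$patch" -ge "$fixed_patch" ]
}

# jl_mitigation_commands VERSION -> prints the advisory's plugin-disable
# commands, one per line, or nothing when VERSION already contains the fix.
# The mathjax2 plugin is only present when jupyterlab-mathjax2 is installed,
# so that line may fail harmlessly on deployments without it.
jl_mitigation_commands() {
    if jl_is_fixed "$1"; then
        return 0
    fi
    for plugin in @jupyterlab/markdownviewer-extension:plugin \
                  @jupyterlab/mathjax-extension:plugin \
                  @jupyterlab/mathjax2-extension:plugin; do
        echo "jupyter labextension disable $plugin"
    done
}

# Usage: sh jl_cve_2024_43805.sh "$(jupyter lab --version)"
# Review the printed commands, then run them on hosts that cannot upgrade.
if [ $# -gt 0 ]; then
    jl_mitigation_commands "$1"
fi
```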